| Author |
|
bcyork
Joined: 07 Aug 2014
Posts: 2
Location: chicgao,il
|
 Posted: Thu 07 Aug '14 23:08 Post subject: Apache 2 Username/Password Protected Directories |
 |
|
Hi, I have been trying to get password protected directories working on my Linode server. It works / behaves in a desktop browser somewhat but not like I am used to with hostmonster. Also for some reason my phone (windows phone  just loads the page in the protected directory without prompting for a password. So I imagine there is some security thing I am missing that none of the info I have found searching talks about. Here is what I have done. I have created a password file and set the permissions correctly on that and it works on the desktop. However when I close the browser or open a private browsing session I am never prompted for a password again. It just feels insecure. Plus my windows phone just loads the page with no prompt. With hostmonster if I closed the browser window it would ask me for the username and password again. I also tested hostmonster directory passwords on my phone and it prompts for a username/password.
Here is what I have added to the apache2.conf file. The rest is pretty much default. There is no .htaccess file for that directory.
<Directory "/var/www/protected">
AllowOverride All
AuthType basic
AuthName "Enter Login"
AuthUserFile /etc/htpasswd/.htpasswd
Require valid-user
Order deny,allow
Allow from user1
</Directory>
It may be worth noting that I have two virtual sites / domain names running on this server at the moment however the one that is being used for this is the primary domain name.
OS: Debian 7.3
Apache 2.2.22
Thanks! |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Wed 13 Aug '14 18:14 Post subject: |
|
|
Please try
<code>
<Directory "/var/www/protected">
AllowOverride none
AuthType basic
AuthName "Enter Login"
AuthUserFile /etc/htpasswd/.htpasswd
Require valid-user
</Directory>
</code> |
|
| Back to top |
|
bcyork
Joined: 07 Aug 2014
Posts: 2
Location: chicgao,il
|
| Posted: Wed 13 Aug '14 20:31 Post subject: |
|
|
Still does the same. Loads without asking for a password on Windows Phone and doesn't ask for a password since I entered a few days ago in Chrome and IE.
Also apache service was restarted after editing config file. |
|
| Back to top |
|
puertoblack2003
Joined: 31 Jul 2009
Posts: 121
Location: U.S
|
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU
|
| Posted: Fri 15 Aug '14 0:04 Post subject: |
|
|
| bcyork wrote: | Still does the same. Loads without asking for a password on Windows Phone and doesn't ask for a password since I entered a few days ago in Chrome and IE.
Also apache service was restarted after editing config file. |
Did you try rebooting the Windows Phone? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Fri 15 Aug '14 15:50 Post subject: |
|
|
| Jan-E wrote: | | Did you try rebooting the Windows Phone? |
I agree, even if a windows phone usually never needs a reboot. Mine is on over a year. |
|
| Back to top |
|
Jan-E
Joined: 09 Mar 2012
Posts: 1266
Location: Amsterdam, NL, EU
|
| Posted: Fri 15 Aug '14 17:52 Post subject: |
|
|
The reason I asked to reboot is because http-authentication has some quirks. In some browsers you can force a logout, in some not.
http://code.google.com/p/chromium/issues/detail?id=5497
https://bugzilla.mozilla.org/show_bug.cgi?id=287957
Rebooting might be a way to clear the authentication cache.
Edit: just tested http-authentication in IE11 on Win7. Only completely closing the browser clears the authentication. If a windows phone keeps an instance of the browser open at all times, rebooting is the only way to be sure that the browser closes for a moment. |
|
| Back to top |
|
